INTERNATIONAL

STANDARD

ISO
22301
First edition
2012-05-15

Societal security Business continuity

management systems Requirements
Scurit socitale Gestion de la continuit des affaires Exigences

Reference number
ISO 22301:2012(E)

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012

ISO 22301:2012(E)

COPYRIGHT PROTECTED DOCUMENT

ISO 2012

Tel. + 41 22 749 01 11
Web www.iso.org

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ii

ISO 2012 All rights reserved

ISO 22301:2012(E)

Contents
Foreword ............................................................................................................................................................................ iv
0 Introduction ..................................................................................................................................................................... v
0.1 General .......................................................................................................................................................................... v
0.2 The Plan-Do-Check-Act (PDCA) model ................................................................................................................ v
0.3 Components of PDCA in this International Standard ...................................................................................... vi
1

Scope ...................................................................................................................................................................... 1

Normative references ......................................................................................................................................... 1

......................................................................................................................................... 1

4
4.1
4.2
4.3
4.4

Context of the organization .............................................................................................................................. 8

Understanding of the organization and its context.................................................................................... 8
Understanding the needs and expectations of interested parties ......................................................... 9
Determining the scope of the business continuity management system ........................................... 9
Business continuity management system ................................................................................................. 10

5
5.1
5.2
5.3
5.4

Leadership........................................................................................................................................................... 10
Leadership and commitment ......................................................................................................................... 10
Management commitment............................................................................................................................... 10
Policy .................................................................................................................................................................... 11
Organizational roles, responsibilities and authorities ............................................................................ 11

6
6.1
6.2

Planning ............................................................................................................................................................... 12
Actions to address risks and opportunities............................................................................................... 12
Business continuity objectives and plans to achieve them .................................................................. 12

7
7.1
7.2
7.3
7.4
7.5

Support................................................................................................................................................................. 12
Resources ........................................................................................................................................................... 12
Competence ........................................................................................................................................................ 13
Awareness ........................................................................................................................................................... 13
Communication .................................................................................................................................................. 13
Documented information................................................................................................................................. 14

8
8.1
8.2
8.3
8.4
8.5

Operation ............................................................................................................................................................. 15
Operational planning and control ................................................................................................................. 15
Business impact analysis and risk assessment ....................................................................................... 15
Business continuity strategy ......................................................................................................................... 16
Establish and implement business continuity procedures ................................................................... 17
Exercising and testing ..................................................................................................................................... 19

9
9.1
9.2
9.3

Performance evaluation................................................................................................................................... 19
Monitoring, measurement, analysis and evaluation ................................................................................ 19
Internal audit ....................................................................................................................................................... 20
Management review .......................................................................................................................................... 21

10
10.1
10.2

Improvement ....................................................................................................................................................... 22
Nonconformity and corrective action .......................................................................................................... 22
Continual improvement ................................................................................................................................... 23

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

Bibliography ..................................................................................................................................................................... 24

ISO 2012 All rights reserved

iii

ISO 22301:2012(E)

Foreword

Societal security.

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

iv

ISO 2012 All rights reserved

ISO 22301:2012(E)

0 Introduction
0.1 General

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

0.2 The Plan-Do-Check-Act (PDCA) model

management systems
management systems

ISO 2012 All rights reserved

Quality
Environmental management systems
Information security
Information technology Service management

ISO 22301:2012(E)

Continual improvement of business continuity

management system (BCMS)

Establish
(Plan)

Interested
parties

Interested
parties

Maintain and
improve
(Act)
Requirements
for business
continuity

Implement
and operate
(Do)

Monitor and
review
(Check)

Managed
business
continuity

Figure 1 PDCA model applied to BCMS processes

Table 1 Explanation of PDCA model
Plan

Do
procedures.
Check

Act

0.3 Components of PDCA in this International Standard

cover the following components.

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

vi

ISO 2012 All rights reserved

ISO 22301:2012(E)

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012 All rights reserved

vii

--`````,`,,`````````,`,```,

INTERNATIONAL STANDARD

ISO 22301:2012(E)

Societal security Business continuity management

systems Requirements
1 Scope

2 Normative references
-

3.1
activity

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012 All rights reserved

ISO 22301:2012(E)

3.2
audit

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

3.3
business continuity
following disruptive incident
[SOURCE: ISO 22300]
3.4
business continuity management

3.5
business continuity management system
BCMS

3.6
business continuity plan

3.7
business continuity programme

3.8
business impact analysis
[SOURCE: ISO 22300]
3.9
competence
3.10
conformity
[SOURCE: ISO 22300]

ISO 2012 All rights reserved

ISO 22301:2012(E)

3.11
continual improvement
[SOURCE: ISO 22300]
3.12
correction
[SOURCE: ISO 22300]

[SOURCE: ISO 22300]

3.14
document

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

3.13
corrective action

3.15
documented information

3.16
effectiveness
[SOURCE: ISO 22300]
3.17
event

ISO 2012 All rights reserved

ISO 22301:2012(E)

3.18
exercise

[SOURCE: ISO 22300]

3.19
incident
[SOURCE: ISO 22300]
3.20
infrastructure
3.21
interested party
stakeholder

3.22
internal audit

3.23
invocation

3.24
management system

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012 All rights reserved

ISO 22301:2012(E)

3.25
maximum acceptable outage
MAO

3.26
maximum tolerable period of disruption
MTPD

3.27
measurement
3.28
minimum business continuity objective
MBCO

3.29
monitoring

3.30
mutual aid agreement
[SOURCE: ISO 22300]
3.31
nonconformity
[SOURCE: ISO 22300]
3.32
objective

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012 All rights reserved

ISO 22301:2012(E)

3.33
organization

3.34
outsource (verb)

process is within the scope.

3.35
performance

3.36
performance evaluation
3.37
personnel

3.38
policy

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

3.39
procedure
3.40
process
3.41
products and services

3.42
prioritized activities

[SOURCE: ISO 22300]

ISO 2012 All rights reserved

ISO 22301:2012(E)

3.43
record
3.44
recovery point objective
RPO

3.45
recovery time objective
RTO

resources must be recovered

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

3.46
requirement

3.47
resources

3.48
risk

ISO 2012 All rights reserved

ISO 22301:2012(E)

3.49
risk appetite
3.50
risk assessment

3.51
risk management

3.52
testing

[SOURCE: ISO 22300]

3.53
top management

3.54

3.55
work environment
set of conditions under which work is performed

[SOURCE: ISO 22300]

4 Context of the organization

4.1

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`-

Understanding of the organization and its context

ISO 2012 All rights reserved

ISO 22301:2012(E)

4.2

Understanding the needs and expectations of interested parties

4.2.1

General

4.2.2

Legal and regulatory requirements

4.3
4.3.1

Determining the scope of the business continuity management system

General

ISO 2012 All rights reserved

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 22301:2012(E)

4.3.2

4.4

Scope of the BCMS

Business continuity management system

5 Leadership
Leadership and commitment

5.2

Management commitment

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

5.1

10

ISO 2012 All rights reserved

5.3

Policy

5.4

Organizational roles, responsibilities and authorities

ISO 2012 All rights reserved

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 22301:2012(E)

11

ISO 22301:2012(E)

6 Planning
6.1

b)

6.2

Actions to address risks and opportunities

how to

Business continuity objectives and plans to achieve them

7 Support
7.1

12

Resources

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012 All rights reserved

ISO 22301:2012(E)

7.2

Competence

7.3

Awareness

d)

7.4

their own role during disruptive incidents.

Communication

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012 All rights reserved

13

ISO 22301:2012(E)

7.5

Documented information

7.5.1

General

the competence of persons.

7.5.2

Creating and updating

7.5.3

Control of documented information

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

14

ISO 2012 All rights reserved

ISO 22301:2012(E)

8 Operation
8.1

Operational planning and control

8.2

Business impact analysis and risk assessment

8.2.1

General

order in which these will be conducted.

8.2.2

Business impact analysis

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012 All rights reserved

15

ISO 22301:2012(E)

8.2.3

Risk assessment

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

8.3

Business continuity strategy

8.3.1

Determination and selection

8.3.2

Establishing resource requirements

16

ISO 2012 All rights reserved

ISO 22301:2012(E)

8.4

Protection and mitigation

Establish and implement business continuity procedures

8.4.1

General

8.4.2

Incident response structure

ISO 2012 All rights reserved

17

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

8.3.3

ISO 22301:2012(E)

Warning and communication

8.4.4

Business continuity plans

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

8.4.3

18

ISO 2012 All rights reserved

ISO 22301:2012(E)

8.5

Recovery

Exercising and testing

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

8.4.5

9 Performance evaluation
9.1
9.1.1

Monitoring, measurement, analysis and evaluation

General

ISO 2012 All rights reserved

19

ISO 22301:2012(E)

Evaluation of business continuity procedures

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

9.1.2

9.2

20

Internal audit

ISO 2012 All rights reserved

ISO 22301:2012(E)

9.3

Management review

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012 All rights reserved

21

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 22301:2012(E)

10 Improvement
10.1 Nonconformity and corrective action

22

ISO 2012 All rights reserved

ISO 22301:2012(E)

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

10.2 Continual improvement

ISO 2012 All rights reserved

23

ISO 22301:2012(E)

Bibliography
Quality management systems Requirements
Environmental management systems Requirements with guidance for use
Guidelines for auditing management systems
Information Technology Service Management
Societal security Terminology
Societal security Guideline for incident preparedness and operational continuity
management
Information technology Security techniques Guidelines for Information and
communications technology disaster recovery services
Information Security Management Systems
Information technology Security techniques Guidelines for information and
communication technology readiness for business continuity
Risk Management Principles and Guidelines
Risk management Risk assessment techniques
Risk management Vocabulary
Business continuity management Code of practice

Security and continuity management systems Requirements and guidance for use
Standard on disaster/emergency management and business continuity programs
[17]

Business Continuity Plan Drafting Guideline

Business Continuity Guideline
Organizational Resilience: Security, Preparedness, and Continuity Managements
Systems Requirements with Guidance for Use
Singapore Standard for Business
Continuity Management

[20]

24

Business Continuity Management Systems: Requirements with Guidance for Use

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 2012 All rights reserved

--`````,`,,`````````,`,```,,,-`-`,,`,,`,`,,`---

ISO 22301:2012(E)

ICS 03.100.01
--`````,`,,`````````,`,```,,,-`-`,

ISO 2012 All rights reserved